Abstract 

Revocation functionality is necessary and crucial to identity-based cryptosystems. Revocable identity-based encryption (RIBE) has attracted a lot of attention in recent years; many RIBE schemes have been proposed in the literature but have been shown to be either insecure or inefficient. In this paper, we propose a new scalable RIBE scheme with decryption key exposure resilience by combining Lewko and Waters' identity-based encryption scheme with the complete subtree method, and prove our RIBE scheme to be semantically secure using the dual system encryption methodology. Compared to existing scalable and semantically secure RIBE schemes, our proposed RIBE scheme is more efficient in terms of ciphertext size, public parameter size and decryption cost, at the price of a slightly looser security reduction. To the best of our knowledge, this is the first construction of a scalable and semantically secure RIBE scheme with constant-size public system parameters. 
Introduction 

Shamir [1] first introduced the concept of identity-based public 
key cryptography (ID-PKC) where a public key can be an 
arbitrary string such as an email address or a telephone number, 
while the corresponding private key can only be generated by a 
private key generator (PKG) who has the knowledge of the master 
secret. The first secure and practical identity-based encryption 
(IBE) scheme was proposed by Boneh and Franklin [2] from 
bilinear pairings, which is proved to be semantically secure against 
adaptive chosen ciphertext attack (IND-ID-CCA) under the 
Decisional Bilinear Diffie-Hellman (DBDH) assumption in the 
random oracle model. 

Boneh and Franklin's work spurred a great deal of research on 
IBE. One important research direction is to construct provably 
secure IBE schemes in the standard model, because the random oracle 
model only provides heuristic security [3]. Canetti, Halevi, and 
Katz [4] defined a weaker security notion for IBE, known as the 
selective-ID model, in which the adversary commits ahead of time 
to the identity that it intends to attack. Boneh and Boyen [5] 
proposed two efficient IBE schemes that are secure in the selective- 
ID model without random oracles. The first IBE construction 
(BB1-IBE) is based on the DBDH assumption, while the second 
IBE construction (BB2-IBE) is based on a non-standard Decision 
Bilinear Diffie-Hellman Inversion (DBDHI) assumption. Waters 
[6] improved the BB1-IBE scheme and proposed an efficient IBE 
scheme which is proved to be semantically secure without random 
oracles under the DBDH assumption in the adaptive-ID model. 
Gentry [7] presented an IBE scheme with short public parameters 
which is proved to be semantically secure without random oracles 



under a non-static assumption in the adaptive-ID model. Waters [8] 
introduced a new technique called dual system encryption and 
proposed an IBE scheme that is proved to be semantically secure 
without random oracles under standard (static) assumptions in the 
adaptive-ID model. Recently, Lewko and Waters [9] gave a new 
dual system encryption realization of IBE from composite order 
bilinear groups, which is proved to be semantically secure without 
random oracles under the subgroup decision assumption in the 
adaptive-ID model. 

Another important research direction is to construct IBE 
schemes with efficient revocation. Suppose that Alice has left the 
organization or her private key is compromised or stolen by an 
adversary in some scenarios [10]. On the one hand, Alice will be 
withdrawn from the right of accessing the information with respect 
to her public key. On the other hand, Alice's private key will be 
revoked to prevent the adversary with her compromised private 
key to access confidential data encrypted under her public key. 
Thus, revocation functionality is necessary and crucial to public- 
key cryptosystems. In the public key infrastructure setting, 
numerous solutions have been proposed, such as periodic 
publication mechanisms (e.g. certificate revocation lists) and online 
query mechanisms (e.g. the online certificate status protocol). In the 
ID-PKC setting, however, key revocation is non-trivial. This is 
because a user's identity is itself a public key, so one cannot 
simply change her public key, as this changes her identity as well. 
An ideal revocation method for IBE is one in which a sender can generate 
a ciphertext exactly as in IBE, without worrying about the 
revocation of the receiver, and only the receiver needs to check the 
revocation status of his private key to decrypt the ciphertext. 
Revocable IBE (RIBE) has attracted a lot of attention in recent 
years, and many RIBE schemes have been proposed [2,11–15]. Boneh 
and Franklin [2] proposed a trivial method to achieve revocation 
functionality for IBE (BF-RIBE for short) by representing an 
identity as $ID\|T$, where $ID$ is the real identity and $T$ is the current 
time. Since new decryption keys need to be issued by the 
PKG for each time period, this introduces huge overheads for the 
PKG that increase linearly in the number of users, and a 
secure channel is needed between the PKG and users to transmit 
the updated private keys. Thus, BF-RIBE is not scalable. 

Boldyreva et al. [11] proposed the first scalable RIBE scheme 
(BGK-RIBE for short) by combining Sahai and Waters' fuzzy IBE 
scheme [16] and Naor et al.'s complete subtree method [17], 
where the PKG's overhead increases logarithmically (instead of 
linearly) in the number of users. The idea of the BGK-RIBE scheme 
consists in assigning users to the leaves of a complete binary tree. 
Each user is provided by the PKG with a set of private keys $sk_{ID}$ 
corresponding to his/her identity $ID$ for each node on the path 
from his/her associated leaf to the root of the tree via a secure 
channel, as in an IBE scheme. The PKG broadcasts key updates $ku_T$ in 
each time period $T$ for a set $Y$ of nodes that contains no ancestors 
of revoked users and exactly one ancestor of any non-revoked one 
(as illustrated in Figure 1, where the nodes of $Y$ are the squares). 
Then, a user assigned to leaf $\eta$ is able to form an effective 
decryption key $dk_{ID,T}$ for period $T$ if the set $Y$ contains a node on 
the path from the root to $\eta$. By doing so, every update of the 
revocation list $RL$ only requires the PKG to perform logarithmic work 
in the overall number of users, and no secure channel is required 
between the PKG and users. The size of users' private keys also 
depends logarithmically on the maximal number of users. 

Another idea of the BGK-RIBE scheme consists in applying the fuzzy 
IBE primitive. In fuzzy IBE systems, identities are regarded as sets 
of descriptive attributes instead of a single identity string as in IBE 
systems, and a user with a private key for the attribute set $\omega$ is able 
to decrypt a ciphertext encrypted for an attribute set $\omega'$ if and only 
if $\omega$ and $\omega'$ have an overlap of at least $d$ attributes. The BGK- 
RIBE scheme uses a special kind of fuzzy IBE where ciphertexts 
are encrypted using the receiver's identity and the period number 
as "attributes". The decryption key of the receiver has to match 
both attributes to decrypt the ciphertext. For each node on the 
path from the root to its assigned leaf, the user is given a key 
attribute that is generated using a new polynomial of degree 1 
for which the constant term is always the master secret. The same 
polynomials are used, for each node, to generate key updates. To 
compute a decryption key for period $T$, each user thus needs to 
combine two key attributes associated with the same node of the 
tree. Since there is no adaptive-ID secure fuzzy IBE scheme in the 
literature, the BGK-RIBE scheme [11] is only proved to be secure in the 
selective-ID model. 

Later, Libert and Vergnaud [12] proposed the first adaptive-ID 
secure scalable RIBE scheme (LV-RIBE for short) based on the same 
idea as the BGK-RIBE scheme, but, instead of using a fuzzy IBE 
scheme, they applied the idea of a two-level hierarchical IBE scheme 
(HIBE for short). They use the adaptive-ID secure Libert and 
Vergnaud black-box accountable authority IBE scheme [18] in 
the first level to handle users' long-term private keys (associated 
with identities), and use the selective-ID secure Boneh and Boyen 
BB1-IBE scheme [5] in the second level to handle decryption keys 
(associated with time periods). Seo and Emura [13] refined the 
security model of RIBE by considering decryption key 
exposure attacks, and proposed a scalable RIBE scheme (SE- 
RIBE for short) with decryption key exposure resistance based on the 
same idea as the LV-RIBE scheme. Seo and Emura use the adaptive-ID 
secure Waters IBE scheme [6] in the first level to handle users' 
long-term private keys, and use the selective-ID secure BB1-IBE 
scheme [5] in the second level to handle decryption keys. Recently, 
Park et al. [14] proposed a scalable RIBE scheme with shorter 
private keys and update keys by using multilinear maps, but the size 
of the public parameters depends on the number of users. Lee 
et al. [15] presented a new technique for RIBE that uses the subset 
difference method instead of the complete subtree method to 
improve the size of update keys. 

Existing adaptive-ID secure scalable RIBE constructions are 
built by combining two-level HIBE schemes with the complete subtree 
method, and their security is proved with a partitioning strategy, in which the 
space of identities is partitioned into the set of identities for which a 
valid secret key can be simulated and those for which a valid 
challenge ciphertext can be simulated. 

In this paper, we propose an efficient adaptive-ID secure 
scalable RIBE scheme by combining the two-level Lewko and Waters 
HIBE scheme [9] and the complete subtree method. To prove security 
for our RIBE scheme in the adaptive-ID model, we adopt Waters' dual 
system encryption methodology [8]. However, we cannot use the dual 
system encryption methodology directly to prove the security of 
RIBE schemes. This is because an adversary in RIBE schemes can 
issue a private key query for the challenge identity $ID^*$ as long as 
$ID^*$ has been revoked before the challenge time $T^*$, while an 
adversary in IBE schemes cannot issue a private key query for the 
challenge identity $ID^*$. Furthermore, as stated in Seo and Emura 
[13], an adversary in a scalable RIBE scheme with decryption key 
exposure resistance may obtain not a private key $sk_{ID^*}$ but a 
decryption key $dk_{ID^*,T}$, and $ID^*$ can still be alive in the system in 
the challenge time period $T^* \neq T$. 

Figure 1. Example of the KUNode Algorithm. Assume that the user associated with node 9 is revoked. As the figure illustrates, the user assigned to leaf 
node 7 has subkeys for nodes 7, 3, 1 and the root. In time period $T$, only the user assigned to leaf node 9 is revoked; the square nodes are the update node set 
output by the KUNode algorithm, and this set contains no node on the path from node 9 to the root node. 
doi:10.1371/journal.pone.0106925.g001 

To make dual system encryption methodology work properly, 
we need to make sure that all decryption keys, including those 
generated by the adversary, are semi-functional in the last step. It 
is not a trivial job to accomplish this transformation directly. To 
circumvent this issue, our approach is to design semi-functional 
private key and semi-functional update key, and generate a semi- 
functional decryption key from a semi-functional private key or a 
semi-functional update key. 

During registration, the PKG assigns a user with identity $ID$ to a 
leaf node $\eta$ of a complete binary tree, and issues the private key 
$sk_{ID}$ for identity $ID$, which is composed of a set of subkeys 
$sk_{ID,\theta} = \{(K_1, K_2, K_3)\}_{\theta \in Path(\eta)}$, wherein each subkey is associated 
with a node on $Path(\eta)$. At time period $T$, the PKG broadcasts the 
update key $ku_T$, which is composed of a set of subkeys 
$ku_{T,\theta} = \{(U_1, U_2, U_3)\}_{\theta \in Y}$, wherein each subkey is associated with 
a node in $Y$. An intuitive way to make all decryption keys semi- 
functional in the last step is to transform all subkeys of all private 
keys or all subkeys of all update keys from normal form into semi- 
functional form. However, similar to the security proof of Lewko 
and Waters' IBE scheme [9], the adversary cannot issue private 
key queries for identities which are equal to the challenge identity 
$ID^*$ modulo $p_2$, and cannot issue update key queries for time 
periods which are equal to the challenge time $T^*$ modulo $p_2$; 
namely, all subkeys of these private keys and all subkeys of these 
update keys cannot be transformed. On the one hand, if we 
transform either all subkeys of the corresponding private key $sk_{ID}$ 
satisfying $ID \neq ID^* \bmod p_2$ or all subkeys of the corresponding 
update key $ku_T$ satisfying $T \neq T^* \bmod p_2$ from normal form into 
semi-functional form independently, the resulting decryption keys 
$dk_{ID,T}$ may not be semi-functional. On the other hand, if we 
transform all subkeys of the corresponding update key $ku_T$ from 
normal form into semi-functional form, this will result in a security 
degradation of $O(r \log(N/r))$ when $r < N/2$, and a security degradation 
of about $O(N - r)$ when $r > N/2$, where $N$ is the number of 
users and $r$ is the number of revoked users. 

To solve the problem of security degradation, we take 
advantage of the special structure of the complete subtree method. 
We do not need to transform all subkeys of $sk_{ID}$ that satisfy 
$ID \neq ID^* \bmod p_2$ and all subkeys of $ku_T$ that satisfy 
$T \neq T^* \bmod p_2$ from normal form into semi-functional form; we 
just need to transform the subkeys of the above $sk_{ID}$ that satisfy 
$\theta \in Path(\eta) \wedge \theta \notin Path(\eta^*)$, and the subkeys of the above $ku_T$ that satisfy 
$\theta' \in Y \wedge \theta' \in Path(\eta^*)$, from normal form into semi-functional 
form, where $\eta$ and $\eta^*$ are the leaf nodes of the binary tree assigned to 
$ID$ and $ID^*$, respectively. Thus, the security degradation is reduced to 
$O(1)$ per transformation of an update key. 

Compared to existing adaptive-ID secure scalable RIBE 
schemes, our RIBE scheme is more efficient in terms of ciphertext 
size, public parameter size and decryption cost, at the price of a slightly 
looser security reduction. To the best of our knowledge, this is the 
first construction of a scalable semantically secure RIBE scheme 
with constant-size public system parameters. Table 1 shows a 
comparison between our RIBE scheme and existing RIBE 
schemes. 

The rest of the paper is organized as follows. In Section 2, we 
introduce some preliminaries necessary for our constructions, 
such as the bilinear group generator and complexity assumptions. In 
Section 3, we give the formal syntax and security definitions of RIBE. 
In Section 4, we describe our RIBE construction. In Section 5, we 
prove that our RIBE construction is IND-RID-CPA secure. Finally, 
we conclude the paper in Section 6. 

Preliminaries 

Bilinear group generator and complexity assumptions 

Definition 1. (Bilinear Group Generator) A bilinear group 
generator $\mathcal{G}$ is an algorithm that takes as input a security parameter 
$\kappa$ and outputs a bilinear group $(n, G, G_T, e)$, where $G$ and $G_T$ are 
cyclic groups of order $n$, and $e: G \times G \to G_T$ is a bilinear map with 
the following properties: 

• Bilinearity: For all $g, h \in G$ and $a, b \in \mathbb{Z}_n$, we have 
$e(g^a, h^b) = e(g, h)^{ab}$. 

• Non-degeneracy: There is an element $g \in G$ such that $e(g, g)$ has 
order $n$ in $G_T$. 

• Computability: There is an efficient algorithm to compute 
$e(g_1, g_2)$ for all $g_1, g_2 \in G$. 

Denote by $\mathcal{G}(1^\kappa) \to (n = p, G, G_T, e)$ a prime order bilinear group 
generator, where $p$ is a prime. We call $\mathcal{G}(1^\kappa) \to (n = p_1 p_2 p_3, G, G_T, e)$ 
a composite order bilinear group generator, where $p_1$, $p_2$ and $p_3$ 
are distinct primes. The subgroups of order $p_1$, $p_2$ and $p_3$ in $G$ are 
denoted by $G_{p_1}$, $G_{p_2}$ and $G_{p_3}$, respectively. Note that when $h_i \in G_{p_i}$ 
and $h_j \in G_{p_j}$ for $i \neq j$, $e(h_i, h_j)$ is the identity element in $G_T$. 

Definition 2. (Decision Bilinear Diffie-Hellman Assumption) 
Given a prime order bilinear group $(p, G, G_T, e)$ generated by $\mathcal{G}(1^\kappa)$, 
we define the following two distributions: 

$$\mathcal{D}_0(\kappa) = (g, g^a, g^b, g^c, e(g,g)^{abc}) \quad\text{and}\quad \mathcal{D}_1(\kappa) = (g, g^a, g^b, g^c, e(g,g)^z),$$

where $g \xleftarrow{\$} G$ and $a, b, c, z \xleftarrow{\$} \mathbb{Z}_p$. The DBDH problem in the prime 
order bilinear group $(p, G, G_T, e)$ is to decide the bit $b$ from a given $\mathcal{D}_b$, 
where $b \xleftarrow{\$} \{0, 1\}$. The advantage of an algorithm $A$ in solving the 
DBDH problem in the prime order bilinear group $(p, G, G_T, e)$ is 
defined by 

$$Adv^{DBDH}_{\mathcal{G},A}(\kappa) = \left| \Pr[A(\mathcal{D}_0(\kappa)) = 1] - \Pr[A(\mathcal{D}_1(\kappa)) = 1] \right|.$$

We say that the DBDH assumption holds in the prime order 
bilinear group $(p, G, G_T, e)$ if no probabilistic polynomial time 
(PPT) algorithm has a non-negligible advantage in solving the 
DBDH problem in the prime order bilinear group $(p, G, G_T, e)$. 

Assumption 1. (Subgroup decision problem for 3 primes) 
Given a composite order bilinear group generator $\mathcal{G}(1^\kappa)$, we define 
the following two distributions: 

$$\mathbb{G} = (n = p_1 p_2 p_3, G, G_T, e) \xleftarrow{\$} \mathcal{G}(1^\kappa), \quad g \xleftarrow{\$} G_{p_1}, \quad X_3 \xleftarrow{\$} G_{p_3},$$
$$D = (\mathbb{G}, g, X_3), \quad L_1 \xleftarrow{\$} G_{p_1 p_2}, \quad L_2 \xleftarrow{\$} G_{p_1}.$$

We define the advantage of an algorithm $A$ in breaking the 
subgroup decision assumption 1 to be: 

$$Adv1_{\mathcal{G},A}(\kappa) = \left| \Pr[A(D, L_1) = 1] - \Pr[A(D, L_2) = 1] \right|.$$

We note that $L_1$ can be written (uniquely) as the product of an 
element of $G_{p_1}$ and an element of $G_{p_2}$. We refer to these elements 
as the "$G_{p_1}$ part of $L_1$" and the "$G_{p_2}$ part of $L_1$" respectively. 

Definition 3. We say that $\mathcal{G}$ satisfies the subgroup decision 
Assumption 1 if $Adv1_{\mathcal{G},A}(\kappa)$ is a negligible function of $\kappa$ for any 
polynomial time algorithm $A$. 

Assumption 2. (Subgroup decision problem for 3 primes) 
Given a composite order bilinear group generator $\mathcal{G}(1^\kappa)$, we define 
the following two distributions: 

$$\mathbb{G} = (n = p_1 p_2 p_3, G, G_T, e) \xleftarrow{\$} \mathcal{G}(1^\kappa), \quad g, X_1 \xleftarrow{\$} G_{p_1}, \quad X_2, Y_2 \xleftarrow{\$} G_{p_2}, \quad X_3, Y_3 \xleftarrow{\$} G_{p_3},$$
$$D = (\mathbb{G}, g, X_1 X_2, X_3, Y_2 Y_3), \quad L_1 \xleftarrow{\$} G, \quad L_2 \xleftarrow{\$} G_{p_1 p_3}.$$

We define the advantage of an algorithm $A$ in breaking the 
subgroup decision assumption 2 to be: 

$$Adv2_{\mathcal{G},A}(\kappa) = \left| \Pr[A(D, L_1) = 1] - \Pr[A(D, L_2) = 1] \right|.$$

Definition 4. We say that $\mathcal{G}$ satisfies the subgroup decision 
Assumption 2 if $Adv2_{\mathcal{G},A}(\kappa)$ is a negligible function of $\kappa$ for any 
polynomial time algorithm $A$. 

Assumption 3. (Subgroup decision problem for 3 primes) 
Given a composite order bilinear group generator $\mathcal{G}(1^\kappa)$, we define 
the following two distributions: 

$$\mathbb{G} = (n = p_1 p_2 p_3, G, G_T, e) \xleftarrow{\$} \mathcal{G}(1^\kappa), \quad \alpha, s \xleftarrow{\$} \mathbb{Z}_n,$$
$$g \xleftarrow{\$} G_{p_1}, \quad X_2, Y_2, Z_2 \xleftarrow{\$} G_{p_2}, \quad X_3 \xleftarrow{\$} G_{p_3},$$
$$D = (\mathbb{G}, g, g^{\alpha} X_2, X_3, g^{s} Y_2, Z_2), \quad L_1 = e(g, g)^{\alpha s}, \quad L_2 \xleftarrow{\$} G_T.$$

We define the advantage of an algorithm $A$ in breaking the 
subgroup decision assumption 3 to be: 

$$Adv3_{\mathcal{G},A}(\kappa) = \left| \Pr[A(D, L_1) = 1] - \Pr[A(D, L_2) = 1] \right|.$$

Definition 5. We say that $\mathcal{G}$ satisfies the subgroup decision 
Assumption 3 if $Adv3_{\mathcal{G},A}(\kappa)$ is a negligible function of $\kappa$ for any 
polynomial time algorithm $A$. 
KUNode Algorithm 

The KUNode algorithm was proposed by Boldyreva et al. [11] 
to achieve efficient revocation for IBE schemes. In the description 
hereafter, we employ similar notation as in [11]. Denote the root 
node of the tree $\mathsf{T}$ by $root$. If $\eta$ is a leaf node, we denote the set of 
nodes on the path from $\eta$ to $root$ by $Path(\eta)$. If $\eta$ is a non-leaf 
node, we denote the left and right children of $\eta$ by $\eta_L$ and $\eta_R$, 
respectively. 

At each time period, the KUNode algorithm determines the 
smallest subset $Y \subset \mathsf{T}$ of nodes that contains an ancestor of all 
leaves corresponding to non-revoked users. This minimal set 
precisely contains the nodes for which key updates have to be 
publicized, in such a way that only non-revoked users will be able 
to generate the appropriate decryption key for the matching 
period. To identify the set $Y$, the KUNode algorithm takes as input a 
binary tree $\mathsf{T}$, a revocation list $RL$ and a period number $T$. If a user 
(assigned to $\eta$) is revoked at time $T$, then $(\eta, T) \in RL$. The KUNode 
algorithm first marks all ancestors of users that were revoked by 
time $T$ as revoked nodes. Then, it inserts in $Y$ the non-revoked 
children of revoked nodes. The description of $KUNode(\mathsf{T}, RL, T)$ 
is given in Table 2, Algorithm 2. 

The example illustrated in Figure 1 can be used to help the 
reader understand the $KUNode(\mathsf{T}, RL, T)$ algorithm. Assume that 
the user associated with node $x_9$ is revoked; then 
$X = Path(x_9) = \{x_9, x_4, x_1, root = x_0\}$ and $Y = \{x_2, x_3, x_{10}\}$. Intui- 
tively, all users, except the user associated with node $x_9$, have a 
node $x \in Y$ that is contained in the set of nodes on the path from 
their assigned node to $root$, whereas $Y \cap Path(x_9) = \emptyset$. 

When a user joins the system, the PKG assigns a leaf node $\eta$ of a 
complete binary tree to the user, and issues a set of keys, wherein 
each key is associated with a node on $Path(\eta)$. At time period $T$, 
the PKG broadcasts key updates for the set $KUNode(\mathsf{T}, RL, T)$. Then, 
only non-revoked users have at least one key corresponding to a 
node in $KUNode(\mathsf{T}, RL, T)$ and are able to generate decryption 
keys for time $T$. 
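The following is an added example, not code from the paper: a Python implementation of the KUNode procedure exactly as Table 2 describes it, on a heap-numbered complete binary tree (root $x_0$, children of $x$ at $2x+1$ and $2x+2$, so the depth-3 tree of Figure 1 has leaves $x_7 \ldots x_{14}$). The node numbering and the revocation list format `(leaf, revocation_time)` are this example's own choices. It also checks the cover property the text relies on: every non-revoked leaf has exactly one node of $Y$ on its path and a revoked leaf has none.

```python
# Added example (not from the paper): KUNode of Table 2 on a heap-numbered
# complete binary tree. root = x0, children of node x are 2x+1 and 2x+2.

def path(node):
    """Path(node): the nodes from `node` up to and including the root x0."""
    nodes = [node]
    while node:
        node = (node - 1) // 2
        nodes.append(node)
    return nodes


def ku_nodes(depth, rl, t):
    """KUNode(T, RL, T): the update node set Y for period t.

    rl is the revocation list as (leaf, revocation_time) pairs; depth is the
    tree depth, so valid node indices are 0 .. 2**(depth+1) - 2.
    """
    last = 2 ** (depth + 1) - 2
    x, y = set(), set()
    for leaf, t_i in rl:                      # mark all ancestors of every user
        if t_i <= t:                          # revoked by time t
            x.update(path(leaf))
    for node in x:                            # non-revoked children of marked nodes
        for child in (2 * node + 1, 2 * node + 2):
            if child <= last and child not in x:
                y.add(child)
    if not y:                                 # nobody revoked: one update at the root
        y.add(0)
    return y


def covers_exactly_non_revoked(depth, rl, t):
    """Each non-revoked leaf has exactly one node of Y on its path; a revoked
    leaf has none (Y intersected with its Path is empty)."""
    y = ku_nodes(depth, rl, t)
    revoked = {leaf for leaf, t_i in rl if t_i <= t}
    first_leaf, last_leaf = 2 ** depth - 1, 2 ** (depth + 1) - 2
    for leaf in range(first_leaf, last_leaf + 1):
        hits = len(y & set(path(leaf)))
        if hits != (0 if leaf in revoked else 1):
            return False
    return True


if __name__ == "__main__":
    # Figure 1: the user at leaf x9 is revoked at time 1; update for time 1
    print(sorted(ku_nodes(3, [(9, 1)], 1)))   # [2, 3, 10]
```

Running the script reproduces the Figure 1 set $Y = \{x_2, x_3, x_{10}\}$; `covers_exactly_non_revoked` is the check a PKG operator can run on any revocation list before broadcasting a key update.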

Table 2. Algorithm 2: KUNode Algorithm $KUNode(\mathsf{T}, RL, T)$. 

$X, Y \leftarrow \emptyset$ 
$\forall (\eta_i, T_i) \in RL$ 
  if $T_i \le T$ then 
    Add $Path(\eta_i)$ to $X$ 
  end if 
$\forall x \in X$ 
  if $x_L \notin X$ then 
    Add $x_L$ to $Y$ 
  end if 
  if $x_R \notin X$ then 
    Add $x_R$ to $Y$ 
  end if 
if $Y = \emptyset$ then 
  Add $root$ to $Y$ 
end if 
Return $Y$ 

doi:10.1371/journal.pone.0106925.t002 

Dual System Encryption 

Dual system encryption is a proof methodology first introduced 
by Waters [8], which opens up a new way to prove adaptive 
security under simple assumptions for IBE and related encryption 
systems. 

In a dual system encryption system, both ciphertexts and private 
keys can take on one of two indistinguishable forms [9]. A private 
key or ciphertext is normal if it is generated by the system's 
key generation or encryption algorithm. Semi-functional cipher- 
texts and private keys are not used in the real system; they are only 
used in the security proof. A normal private key can decrypt 
normal or semi-functional ciphertexts, and a normal ciphertext 
can be decrypted by normal or semi-functional private keys. 
However, decryption will fail with high probability if one attempts 
to decrypt a semi-functional ciphertext with a semi-functional 
private key. 

Unlike the previous proof technique called the partitioning strategy, 
which partitions the identity space into two parts, dual system 
encryption defines a sequence of games and proves their 
indistinguishability from the real game. The first game is the real 
security game, in which the challenge ciphertext and private keys 
are normal. In the next game, the ciphertext is switched from 
normal to semi-functional, while all the private keys are normal. 
For an adversary that makes $q$ private key requests, games 1 
through $q$ follow. In game $k$, the first $k$ private keys are semi- 
functional while the remaining private keys are normal. In game $q$, 
all the private keys and the challenge ciphertext given to the 
adversary are semi-functional. Hence none of the given private 
keys are useful for decrypting the challenge ciphertext. At this 
point, proving security becomes relatively easy, since 
the reduction algorithm does not need to present any normal 
private keys to the adversary and all semi-functional private keys 
are useless for decrypting a semi-functional ciphertext. 

Syntax and Security Definitions of RIBE 

In this section, we recall the syntax and security model of RIBE 
as defined in [13]. Unlike the syntax definition in [13], we define 
the decryption key generation algorithm as probabilistic rather 
than deterministic. A RIBE scheme can be defined by the 
following seven polynomial-time algorithms: 

Setup The stateful setup algorithm is run by the PKG. It 
takes a security parameter $\kappa$ and a maximal number of users $N$ as 
input, and outputs the public parameters $mpk$, the master secret key 
$msk$, the initial revocation list $RL = \emptyset$, and a state $ST$. We assume 
that the message space $\mathcal{M}$, the identity space $\mathcal{I}$, the time space 
$\mathcal{T}$, and the ciphertext space $\mathcal{CT}$ are contained in $mpk$. 

Extract The stateful private key extraction algorithm is run by the 
PKG. It takes $mpk$, $msk$, an identity $ID \in \mathcal{I}$ and a state $ST$ as input, 
and outputs a secret key $sk_{ID}$ associated with $ID$ and an updated 
state $ST$. 

KeyUpdate The key update generation algorithm is run by the 
PKG. It takes $mpk$, $msk$, the key update time $T \in \mathcal{T}$, the 
current revocation list $RL$, and $ST$ as input, and outputs the key 
update $ku_T$. 

DKeyGen The probabilistic decryption key generation algo- 
rithm is run by a user. It takes $mpk$, $sk_{ID}$, and $ku_T$ as input, and 
outputs a decryption key $dk_{ID,T}$ to be used during period $T$, or a 
special symbol $\bot$ indicating that $ID$ was revoked. 

Encrypt The probabilistic encryption algorithm is run by a 
sender. It takes $mpk$, $ID \in \mathcal{I}$, $T \in \mathcal{T}$, and a message $m \in \mathcal{M}$ as 
input, and outputs a ciphertext $c$. 

Decrypt The deterministic decryption algorithm is run by the 
receiver. It takes $mpk$, $dk_{ID,T}$, and $c$ as input, and outputs $m$, or 
$\bot$ if $c$ is an invalid ciphertext. 

Revoke The stateful revocation algorithm is run by the PKG. It 
takes an identity to be revoked $ID \in \mathcal{I}$, a revocation time 
$T \in \mathcal{T}$, the current revocation list $RL$, and a state $ST$ as input, and 
outputs an updated $RL$ by adding $ID$ as a revoked user at time $T$. 

We have a basic consistency requirement that for any 
$(mpk, msk) \leftarrow Setup(1^\kappa, N)$, $m \in \mathcal{M}$, all possible states $ST$, and a 
revocation list $RL$, if $ID \in \mathcal{I}$ is not revoked before or at time $T \in \mathcal{T}$, 
then for $(sk_{ID}, ST) \leftarrow Extract(mpk, msk, ID, ST)$, $ku_T \leftarrow KeyUpdate(mpk, msk, T, RL, ST)$, 
and $dk_{ID,T} \leftarrow DKeyGen(mpk, sk_{ID}, ku_T)$, the 
following equation holds. 

$$Decrypt(mpk, dk_{ID,T}, Encrypt(mpk, ID, T, m)) = m$$



The property of indistinguishability under adaptively chosen 
identity and chosen plaintext attack (IND-ID-CPA) is considered a 
basic requirement for provably secure IBE schemes. For RIBE 
scheme, we define indistinguishability under adaptively chosen 
revocable identity and chosen plaintext attack (IND-RID-CPA) by 
the following game between an adversary and a challenger. Note 
that the security model captures realistic threats including 
decryption key exposure [13]. 

Definition 6. Let $\Pi$ be a RIBE scheme. We say that $\Pi$ is IND- 
RID-CPA secure if any PPT adversary $A$ has negligible advantage 
in the following experiment: 

$Exp^{IND\text{-}RID\text{-}CPA}_{A,\Pi}(1^\kappa, N)$ 
  $(mpk, msk, RL, ST) \leftarrow Setup(1^\kappa, N)$, 
  $(m_0, m_1, ID^*, T^*, ST) \leftarrow A^{\mathcal{O}}(Find, mpk)$ such that $|m_0| = |m_1|$, 
  $b \xleftarrow{\$} \{0, 1\}$, $c^* \leftarrow Encrypt(mpk, ID^*, T^*, m_b)$, 
  $b' \leftarrow A^{\mathcal{O}}(Guess, c^*, ST)$, 
  return 1 if $b' = b$ and 0 otherwise. 

The adversary $A$'s advantage is defined as follows. 

$$Adv^{IND\text{-}RID\text{-}CPA}_{A,\Pi}(\kappa, N) = \left| \Pr\left[Exp^{IND\text{-}RID\text{-}CPA}_{A,\Pi}(1^\kappa, N) = 1\right] - \tfrac{1}{2} \right|.$$

In the above experiment, $\mathcal{O}$ is a set of oracles defined as follows. 

• Extract Oracle: For $ID \in \mathcal{I}$, it runs $Extract(mpk, msk, ID, ST) \to (sk_{ID}, ST)$, 
then returns $sk_{ID}$ and updates the state $ST$. 

• KeyUpdate Oracle: For $T \in \mathcal{T}$, it runs $KeyUpdate(mpk, msk, T, RL, ST) \to ku_T$, 
then returns $ku_T$. 

• Revoke Oracle: For $ID \in \mathcal{I}$ and $T \in \mathcal{T}$, it runs $Revoke(mpk, ID, T, RL, ST) \to RL$, 
then returns the updated revocation list $RL$. 

• DKeyGen Oracle: For $ID \in \mathcal{I}$ and $T \in \mathcal{T}$, it runs $Extract(mpk, msk, ID, ST) \to sk_{ID}$ 
and $DKeyGen(mpk, sk_{ID}, ku_T) \to dk_{ID,T}$, then returns $dk_{ID,T}$. 

The adversary $A$ is allowed to query the above oracles with the 
following restrictions: 

• The KeyUpdate Oracle and Revoke Oracle can be queried on 
a time which is greater than or equal to the time of all previous 
queries, i.e. the adversary is allowed to query only in non- 
decreasing order of time. 

• The Revoke Oracle cannot be queried on time $T$ if the KeyUpdate 
Oracle was queried on $T$. 

• If $Extract(ID^*)$ was queried, then $Revoke(ID^*, T)$ must be 
queried for $T \le T^*$. 

• The DKeyGen Oracle cannot be queried on time $T$ before the 
KeyUpdate Oracle was queried on $T$. 

• $DKeyGen(ID^*, T^*)$ cannot be queried. 

This definition naturally extends to the chosen ciphertext 
scenario, where the adversary is further granted access to a 
Decrypt Oracle that, on input of a ciphertext $c$ and a pair 
$(ID, T)$, returns $m \in \mathcal{M}$ or $\bot$ by running $Decrypt(mpk, dk_{ID,T}, c)$. 
Of course, the Decrypt Oracle cannot be queried on the ciphertext 
$c^*$ for the pair $(ID^*, T^*)$. 

Our Construction 

In this section, we propose an efficient and provably secure 
RIBE scheme by exploiting the Lewko and Waters IBE scheme [9] 
and the KUNode algorithm. 

Setup The PKG runs the composite order bilinear group generator 
$\mathcal{G}(1^\kappa) \to (n = p_1 p_2 p_3, G, G_T, e)$, chooses $g, u_1, u_2, h \xleftarrow{\$} G_{p_1}$, and 
$\alpha \xleftarrow{\$} \mathbb{Z}_n$. The PKG publishes the public system parameters as 
follows. 

$$mpk = \{n, g, u_1, h, u_2, e(g, g)^{\alpha}\}.$$

The master secret keys are $\alpha$ and a generator of $G_{p_3}$. 

Extract The PKG chooses an unassigned leaf $\eta$ from $\mathsf{T}$ at 
random, and stores $ID$ in the node $\eta$. For each node $\theta \in Path(\eta)$, the 
PKG performs as follows. 

• Recall $g_\theta$ if it was defined. Otherwise, $g_\theta \xleftarrow{\$} G_{p_1}$, and store 
$(g_\theta, \hat{g}_\theta = g^{\alpha} / g_\theta)$ in the node $\theta$. 

• Choose $r_\theta \xleftarrow{\$} \mathbb{Z}_n$ and $R_3, R_3', R_3'' \xleftarrow{\$} G_{p_3}$ at random. Note that 
we can get random elements of $G_{p_3}$ by taking a generator of 
$G_{p_3}$ and raising it to random exponents modulo $n$. 

• Compute $(K_1, K_2, K_3) = \left(g^{r_\theta} R_3,\ u_2^{r_\theta} R_3',\ g_\theta (u_1^{ID} h)^{r_\theta} R_3''\right)$. 

• Return $sk_{ID} = \{(K_1, K_2, K_3)\}_{\theta \in Path(\eta)}$. 

KeyUpdate The PKG parses $ST = \mathsf{T}$, and performs the 
following steps for each node $\theta \in KUNode(\mathsf{T}, RL, T)$. 

• Retrieve $\hat{g}_\theta$ (note that $\hat{g}_\theta$ is always pre-defined in the Extract 
algorithm). 

• Choose $s_\theta \xleftarrow{\$} \mathbb{Z}_n$ and $Q_3, Q_3', Q_3'' \xleftarrow{\$} G_{p_3}$. 

• Compute $(U_1, U_2, U_3) = \left(g^{s_\theta} Q_3,\ u_1^{s_\theta} Q_3',\ \hat{g}_\theta (u_2^{T} h)^{s_\theta} Q_3''\right)$. 

• Return $ku_T = \{(U_1, U_2, U_3)\}_{\theta \in KUNode(\mathsf{T}, RL, T)}$. 
DKeyGen The user parses $sk_{ID} = \{(\theta, K_1, K_2, K_3)\}_{\theta \in J_1}$ and 
$ku_T = \{(\theta, U_1, U_2, U_3)\}_{\theta \in J_2}$. If $J_1 \cap J_2 = \emptyset$ then it outputs the error 
symbol $\bot$. Otherwise, the user chooses $\theta \in J_1 \cap J_2$ and $r \xleftarrow{\$} \mathbb{Z}_n$ and 
outputs 

$$dk_{ID,T} = (D_1, D_2) = \left(K_1 U_1 g^{r},\ K_3 U_2^{ID} K_2^{T} U_3 (u_1^{ID} u_2^{T} h)^{r}\right).$$

Encrypt A sender chooses a random integer $t \xleftarrow{\$} \mathbb{Z}_n$ and 
outputs 

$$C_0 = M \cdot e(g, g)^{\alpha t}, \quad C_1 = (u_1^{ID} u_2^{T} h)^{t}, \quad C_2 = g^{t}.$$

Decrypt The receiver parses $C = (C_0, C_1, C_2)$ and 
$dk_{ID,T} = (D_1, D_2)$ and outputs 

$$M = C_0 \cdot \frac{e(D_1, C_1)}{e(D_2, C_2)}.$$

Revoke Let $\eta$ be the leaf node associated with $ID$. The PKG 
updates the revocation list by $RL \leftarrow RL \cup \{(\eta, T)\}$ and returns the 
updated revocation list. 
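To make the algebra of Setup, Extract, KeyUpdate, DKeyGen, Encrypt and Decrypt concrete, here is an added example (ours, not code from the paper) that simulates the scheme in exponent space: every group element $g^x$ is stored as its exponent $x$ modulo a prime $p$, and the pairing $e(g^x, g^y) = e(g,g)^{xy}$ becomes the product $xy$. It only checks the correctness equations (the split $g_\theta \hat g_\theta = g^{\alpha}$ across private key and update key, and the cancellation in Decrypt); it is not a secure implementation, since it drops the composite-order structure and the $G_{p_3}$ randomisers, and in this model $e(g,g)^{\alpha}$ trivially reveals $\alpha$. The heap numbering of the tree, the identities, the time period and the update node set $Y = \{x_2, x_3, x_{10}\}$ are the Figure 1 scenario and are assumed inputs, not recomputed here.

```python
# Added example (not from the paper): exponent-space simulation of the RIBE
# correctness equations. g^x is stored as x mod P; e(g^x, g^y) = e(g,g)^{xy}
# is stored as x*y mod P. Bookkeeping model only, NOT a secure implementation.
import secrets

P = 2**127 - 1  # toy group order (constructed choice; any prime works here)


def rand_exp():
    return secrets.randbelow(P - 1) + 1


def path(leaf):
    """Path(leaf): nodes from the leaf up to the root x0 (heap numbering)."""
    nodes = [leaf]
    while leaf:
        leaf = (leaf - 1) // 2
        nodes.append(leaf)
    return nodes


def setup():
    """mpk = {u1, u2, h, e(g,g)^alpha} as exponents; msk = alpha plus per-node g_theta."""
    alpha = rand_exp()
    mpk = {"u1": rand_exp(), "u2": rand_exp(), "h": rand_exp(), "egg_alpha": alpha}
    msk = {"alpha": alpha, "g_theta": {}}
    return mpk, msk


def node_split(msk, theta):
    """(g_theta, g_hat_theta) with g_theta * g_hat_theta = g^alpha, fixed per node."""
    if theta not in msk["g_theta"]:
        msk["g_theta"][theta] = rand_exp()
    g_theta = msk["g_theta"][theta]
    return g_theta, (msk["alpha"] - g_theta) % P


def extract(mpk, msk, ident, leaf):
    """sk_ID: (K1, K2, K3) = (g^r, u2^r, g_theta (u1^ID h)^r) for each node on Path(leaf)."""
    sk = {}
    for theta in path(leaf):
        g_theta, _ = node_split(msk, theta)
        r = rand_exp()
        sk[theta] = (r, mpk["u2"] * r % P,
                     (g_theta + (mpk["u1"] * ident + mpk["h"]) * r) % P)
    return sk


def key_update(mpk, msk, T, update_nodes):
    """ku_T: (U1, U2, U3) = (g^s, u1^s, g_hat_theta (u2^T h)^s) for each node in Y."""
    ku = {}
    for theta in update_nodes:
        _, g_hat = node_split(msk, theta)
        s = rand_exp()
        ku[theta] = (s, mpk["u1"] * s % P,
                     (g_hat + (mpk["u2"] * T + mpk["h"]) * s) % P)
    return ku


def dkeygen(mpk, sk, ku, ident, T):
    """dk_{ID,T} from a node common to Path(eta) and Y, or None (the symbol bottom)."""
    common = set(sk) & set(ku)
    if not common:
        return None
    theta = min(common)
    K1, K2, K3 = sk[theta]
    U1, U2, U3 = ku[theta]
    r = rand_exp()
    # D1 = K1 U1 g^r ;  D2 = K3 U2^ID K2^T U3 (u1^ID u2^T h)^r
    D1 = (K1 + U1 + r) % P
    D2 = (K3 + U2 * ident + K2 * T + U3
          + (mpk["u1"] * ident + mpk["u2"] * T + mpk["h"]) * r) % P
    return D1, D2


def encrypt(mpk, ident, T, m):
    """C0 = M e(g,g)^{alpha t}, C1 = (u1^ID u2^T h)^t, C2 = g^t; m is the exponent of M."""
    t = rand_exp()
    C0 = (m + mpk["egg_alpha"] * t) % P
    C1 = (mpk["u1"] * ident + mpk["u2"] * T + mpk["h"]) * t % P
    return C0, C1, t


def decrypt(dk, c):
    """M = C0 * e(D1, C1) / e(D2, C2); in exponents: C0 + D1*C1 - D2*C2."""
    D1, D2 = dk
    C0, C1, C2 = c
    return (C0 + D1 * C1 - D2 * C2) % P


def demo():
    """Figure 1 scenario: leaf x9 revoked at time T, update node set Y = {x2, x3, x10}."""
    mpk, msk = setup()
    T, alice, bob, m = 5, 1001, 1002, 424242       # constructed sample values
    sk_alice = extract(mpk, msk, alice, leaf=7)     # Path(x7) = {x7, x3, x1, x0}
    sk_bob = extract(mpk, msk, bob, leaf=9)         # Path(x9) = {x9, x4, x1, x0}, revoked
    ku = key_update(mpk, msk, T, {2, 3, 10})        # KUNode output of Figure 1 (assumed)
    dk_alice = dkeygen(mpk, sk_alice, ku, alice, T)
    dk_bob = dkeygen(mpk, sk_bob, ku, bob, T)
    c_alice = encrypt(mpk, alice, T, m)
    c_bob = encrypt(mpk, bob, T, m)
    return (decrypt(dk_alice, c_alice) == m,        # non-revoked user decrypts
            dk_bob is None,                         # revoked user: no common node
            decrypt(dk_alice, c_bob) != m)          # key for one ID fails on another
```

In `demo()` Alice's only node shared with $Y$ is $x_3$, so her decryption key is assembled from the $x_3$ subkeys; the revoked user at $x_9$ has no node in common with $Y$ and `dkeygen` returns the $\bot$ equivalent `None`, which is exactly the revocation check the text describes.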

The correctness of our RIBE construction can be verified as 
follows. 

$$\frac{e(D_2, C_2)}{e(D_1, C_1)} = \frac{e\left(K_3 U_2^{ID} K_2^{T} U_3 (u_1^{ID} u_2^{T} h)^{r},\ g^{t}\right)}{e\left(K_1 U_1 g^{r},\ (u_1^{ID} u_2^{T} h)^{t}\right)} = \frac{e\left(g_\theta \hat{g}_\theta (u_1^{ID} u_2^{T} h)^{r_\theta + s_\theta + r} R_3'' Q_3'^{ID} R_3'^{T} Q_3'',\ g^{t}\right)}{e\left(g^{r_\theta + s_\theta + r} R_3 Q_3,\ (u_1^{ID} u_2^{T} h)^{t}\right)} = e(g_\theta \hat{g}_\theta, g^{t}) = e(g, g)^{\alpha t}.$$

Security Proofs 

To prove the security of our RIBE scheme, we first define three 
additional structures: semi-functional ciphertexts, semi-functional 
private keys and semi-functional update keys. For the semi- 
functional type, we let $g_2$ denote a fixed generator of the subgroup 
$G_{p_2}$. 

• Semi-functional Ciphertext: A normal ciphertext 
$C' = (C_0', C_1', C_2')$ is first generated by the encryption 
algorithm. It then chooses $x, z_c \xleftarrow{\$} \mathbb{Z}_n$ and sets: 

$$C_0 = C_0', \quad C_1 = C_1' g_2^{x z_c}, \quad C_2 = C_2' g_2^{x}.$$

• The semi-functional ciphertext is $C = (C_0, C_1, C_2)$. 

• Semi-functional Private Key: A normal private key 
$sk'_{ID} = \{(K_1', K_2', K_3')\}_{\theta \in Path(\eta)}$ is generated by the private key 
generation algorithm for an identity $ID$. It then chooses 
$\gamma, z_k, z_k' \xleftarrow{\$} \mathbb{Z}_n$ and sets: 

$$K_1 = K_1' g_2^{\gamma}, \quad K_2 = K_2' g_2^{\gamma z_k'}, \quad K_3 = K_3' g_2^{\gamma z_k}.$$

• The semi-functional private key is $sk_{ID} = \{(K_1, K_2, K_3)\}_{\theta \in Path(\eta)}$. 

• Semi-functional Update Key: A normal update key 
$ku'_T = \{(U_1', U_2', U_3')\}_{\theta \in KUNode(\mathsf{T}, RL, T)}$ is generated by the 
update key generation algorithm. It then chooses 
$\iota, z_u, z_u' \xleftarrow{\$} \mathbb{Z}_n$ and sets: 

$$U_1 = U_1' g_2^{\iota}, \quad U_2 = U_2' g_2^{\iota z_u'}, \quad U_3 = U_3' g_2^{\iota z_u}.$$

• The semi-functional update key is $ku_T = \{(U_1, U_2, U_3)\}_{\theta \in KUNode(\mathsf{T}, RL, T)}$. 

• Semi-functional Decryption Key: A normal decryption 
key $dk'_{ID,T} = (D_1', D_2')$ is generated by the decryption key 
generation algorithm. It then chooses $\rho, z_d \xleftarrow{\$} \mathbb{Z}_n$ and sets: 

$$D_1 = D_1' g_2^{\rho}, \quad D_2 = D_2' g_2^{\rho z_d}.$$

• The semi-functional decryption key is $dk_{ID,T} = (D_1, D_2)$. 

Note that when a semi-functional decryption key is used to 
decrypt a semi-functional ciphertext, the decryption algorithm will 
compute the blinding factor multiplied by the additional term 
$e(g_2, g_2)^{\rho x (z_d - z_c)}$. If $z_d = z_c$, decryption will still work. In this case, 
the decryption key is nominally semi-functional. In our proof, 
normal decryption keys are generated from normal subkeys of 
private keys and normal subkeys of update keys, while semi- 
functional decryption keys are generated from semi-functional 
subkeys of private keys and normal subkeys of update keys, or from 
normal subkeys of private keys and semi-functional subkeys of 
update keys. 

There are two types of adversaries in the simulation. A Type-I adversary issues private key queries on the challenge identity $ID^*$, but the challenge identity must then be revoked before the challenge time $T^*$; a Type-II adversary never issues private key queries on the challenge identity. Clearly, if a RIBE scheme is secure against Type-I adversaries it is also secure against Type-II adversaries, since the Type-I restriction only concerns a query a Type-II adversary never makes. For this reason, we only consider Type-I adversaries in the following security proofs.

Denote by $q_{sk}$ and $q_{ku}$ the number of private key queries for non-challenge identities and the number of update key queries for non-challenge time periods issued by an adversary, respectively. Denote by $\ell$ the maximum number of nodes a private key involves that are not on the path from the root node to the challenge leaf node $\eta^*$.

We give our proof as a sequence of games, defined in the following order.

• $Game_A$: The actual RIBE security game, where all private keys, update keys, decryption keys and the challenge ciphertext are normal.

• $Game_R$: The restricted game, which is the actual security game except that the adversary cannot issue private key queries for $ID \equiv ID^* \pmod{p_2}$ or update key queries for $T \equiv T^* \pmod{p_2}$. Note that the adversary can still issue private key queries for $ID \equiv ID^* \pmod N$, but $ID^*$ must then be revoked before $T^*$.

• $Game^{sk}_{i,j}$: The restricted security game where the challenge ciphertext, all $\ell$ subkeys of the first $i-1$ private keys and the first $j$ subkeys $sk_{ID,\theta}$ of the $i$-th private key $sk_{ID}$ are semi-functional, while all remaining subkeys of private keys and all subkeys of update keys are normal. Here $0 \le j \le \ell$, $1 \le i \le q_{sk}$, and the $\ell$ subkeys in question are those with $\theta \notin \mathrm{Path}(\eta^*)$.

• $Game^{ku}_{k}$: The restricted security game where the challenge ciphertext, all $\ell$ subkeys of all private keys, and the subkeys $ku_{T,\theta}$ of the first $k$ update keys $ku_T$ are semi-functional, while the remaining subkeys of the $q_{sk}$ private keys and the remaining subkeys of the $q_{ku}$ update keys are normal. Here $\theta \in \mathrm{Path}(\eta^*)$. It is obvious that $Game^{sk}_{q_{sk},\ell} = Game^{ku}_{0}$.

• $Game_{Final}$: The final game, which is the same as $Game^{ku}_{q_{ku}}$ except that the challenge ciphertext is a semi-functional encryption of a random message.

Next, we prove the indistinguishability of these games by the following lemmas.

Lemma 1. Suppose there exists an algorithm $\mathcal{A}$ such that $\mathrm{Adv}_{\mathcal{A}}^{Game_A} - \mathrm{Adv}_{\mathcal{A}}^{Game_R} = \epsilon$. Then we can build an algorithm $\mathcal{B}$ with advantage $\epsilon/2$ in breaking Assumption 2.

Proof. Given $g, X_1X_2, X_3, Y_2Y_3, L$, algorithm $\mathcal{B}$ can simulate $Game_A$ with $\mathcal{A}$. With probability $\epsilon$, $\mathcal{A}$ produces identities $ID$ and $ID^*$ such that $ID \neq ID^* \pmod N$ and $p_2$ divides $ID - ID^*$ (if $\mathcal{A}$ fails to do this, $\mathcal{B}$ simply guesses at random; a pair of time periods $T, T^*$ with $T \equiv T^* \pmod{p_2}$ is handled in exactly the same way). $\mathcal{B}$ uses these identities to produce a nontrivial factor of $N$ by computing $a = \gcd(ID - ID^*, N)$. Set $b = N/a$, and consider the following three cases:

• Case 1: one of $a, b$ is $p_1$, and the other is $p_2 p_3$.

• Case 2: one of $a, b$ is $p_2$, and the other is $p_1 p_3$.

• Case 3: one of $a, b$ is $p_3$, and the other is $p_1 p_2$.

$\mathcal{B}$ can determine whether Case 1 has occurred by testing whether either of $(Y_2Y_3)^{a}$ or $(Y_2Y_3)^{b}$ is the identity element, since an exponent annihilates $Y_2Y_3 \in G_{p_2 p_3}$ only if it is $p_2 p_3$. If this happens, we suppose without loss of generality that $a = p_1$ and $b = p_2 p_3$. $\mathcal{B}$ can then learn whether $L$ has a $G_{p_2}$ component by testing whether $e(L^{a}, X_1X_2)$ is the identity element: $L^{a}$ has no $G_{p_1}$ component, so the pairing is non-trivial exactly when $L$ has a $G_{p_2}$ component.

$\mathcal{B}$ can determine whether Case 2 has occurred by testing whether either of $(X_1X_2)^{a}$ or $(X_1X_2)^{b}$ is the identity element. Assuming that $\mathcal{B}$ has already ruled out Case 1, if neither of them is the identity element then Case 2 has occurred (an exponent annihilates $X_1X_2 \in G_{p_1 p_2}$ only if it is $p_1 p_2$, which is Case 3). $\mathcal{B}$ can learn which of $a, b$ is equal to $p_1 p_3$ by testing which of $g^{a}, g^{b}$ is the identity. Without loss of generality, we assume that $a = p_2$ and $b = p_1 p_3$. Then $\mathcal{B}$ can learn whether $L$ has a $G_{p_2}$ component by testing whether $L^{b}$ is the identity element. If it is not, then $L$ has a $G_{p_2}$ component.

$\mathcal{B}$ can determine that Case 3 has occurred when the tests for both Case 1 and Case 2 fail. It can learn which of $a, b$ is equal to $p_3$ by testing which of $X_3^{a}, X_3^{b}$ is the identity. Without loss of generality, we assume that $a = p_3$. $\mathcal{B}$ can learn whether $L$ has a $G_{p_2}$ component by testing whether $e(L^{a}, Y_2Y_3)$ is the identity. If it is not, then $L$ has a $G_{p_2}$ component.

Since $L$ has a $G_{p_2}$ component exactly when $L \in G$ rather than $L \in G_{p_1 p_3}$, $\mathcal{B}$ thereby decides Assumption 2. This completes the proof.

□
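The factoring step and the subgroup tests of the Lemma 1 proof, as an added example that is not part of the paper. Since no composite-order bilinear group is available here, it models the group by the additive group $\mathbb{Z}_N$ with $N = p_1 p_2 p_3$ and the bilinear map $e(x, y) = xy \bmod N$, which reproduces the one property the proof uses: elements of distinct prime-order subgroups pair to the identity. The toy primes, the simulator's view $(g, X_1X_2, X_3, Y_2Y_3)$, the challenge elements and the colliding identities are constructed for the example; the group is of course not cryptographically secure. The three identity pairs trigger Cases 2, 3 and 1 of the proof in turn.

```python
from math import gcd

# Toy stand-in for the composite-order bilinear group (constructed for this
# example, NOT secure): the additive group Z_N with N = p1*p2*p3 and the
# bilinear map e(x, y) = x*y mod N.  In additive notation the proof's X^a is
# a*X mod N and the identity element is 0.  G_{p_i} is generated by N/p_i,
# and distinct subgroups are orthogonal under e because (N/p_i)*(N/p_j) is a
# multiple of N whenever i != j.

def make_group(p1, p2, p3):
    N = p1 * p2 * p3
    return N, (N // p1, N // p2, N // p3)   # generators of G_{p1}, G_{p2}, G_{p3}

def elem(N, gens, c1, c2, c3):
    """Element whose G_{p1}, G_{p2}, G_{p3} components are c1, c2, c3."""
    return (c1 * gens[0] + c2 * gens[1] + c3 * gens[2]) % N

def power(X, k, N):     # X^k in the proof's multiplicative notation
    return (k * X) % N

def pair(X, Y, N):      # e(X, Y)
    return (X * Y) % N

def is_identity(X, N):
    return X % N == 0

def factor_from_collision(ID, ID_star, N):
    """Lemma 1: identities with ID != ID* mod N but p2 | (ID - ID*) yield a
    nontrivial factorisation N = a*b with a = gcd(ID - ID*, N)."""
    a = gcd((ID - ID_star) % N, N)
    if a in (1, N):
        raise ValueError("no nontrivial factor of N from this pair")
    return a, N // a

def has_gp2_component(L, a, b, N, g, X1X2, X3, Y2Y3):
    """Decide whether the Assumption 2 challenge L has a G_{p2} component
    (i.e. L lies in G rather than in G_{p1 p3}) from the simulator's view
    only, following the three cases of the Lemma 1 proof in order."""
    # Case 1: {a, b} = {p1, p2p3}; only the exponent p2p3 annihilates Y2Y3.
    if is_identity(power(Y2Y3, a, N), N) or is_identity(power(Y2Y3, b, N), N):
        p1 = a if is_identity(power(Y2Y3, b, N), N) else b
        # L^{p1} has no G_{p1} part, so e(L^{p1}, X1X2) != 1 iff L has a G_{p2} part.
        return not is_identity(pair(power(L, p1, N), X1X2, N), N)
    # Case 2: {a, b} = {p2, p1p3}; neither exponent annihilates X1X2
    # (that needs p1p2, which is Case 3).
    if not (is_identity(power(X1X2, a, N), N) or is_identity(power(X1X2, b, N), N)):
        p1p3 = a if is_identity(power(g, a, N), N) else b   # g in G_{p1} dies under p1p3
        return not is_identity(power(L, p1p3, N), N)
    # Case 3: {a, b} = {p3, p1p2}; X3 dies under p3 but not under p1p2.
    p3 = a if is_identity(power(X3, a, N), N) else b
    return not is_identity(pair(power(L, p3, N), Y2Y3, N), N)

def demo():
    """Run the three cases on toy primes 5, 7, 11 (N = 385).  Returns, per
    case, (a, b, verdict for an L with a G_{p2} part, verdict for an L in G_{p1 p3})."""
    N, gens = make_group(5, 7, 11)
    g    = elem(N, gens, 1, 0, 0)          # generator of G_{p1}
    X1X2 = elem(N, gens, 2, 3, 0)
    X3   = elem(N, gens, 0, 0, 4)
    Y2Y3 = elem(N, gens, 0, 5, 6)
    L_sf = elem(N, gens, 3, 2, 1)          # has a G_{p2} component
    L_nm = elem(N, gens, 3, 0, 1)          # lies in G_{p1 p3}
    results = []
    # ID - ID* divisible by p2 only, by p1p2, and by p2p3: Cases 2, 3 and 1.
    for ID, ID_star in ((17, 10), (45, 10), (87, 10)):
        a, b = factor_from_collision(ID, ID_star, N)
        results.append((a, b,
                        has_gp2_component(L_sf, a, b, N, g, X1X2, X3, Y2Y3),
                        has_gp2_component(L_nm, a, b, N, g, X1X2, X3, Y2Y3)))
    return results
```

The point of the exercise is the one the lemma makes: an adversary that can find two identities colliding modulo $p_2$ hands the simulator a factor of $N$, and from that factor alone, without knowing $p_1, p_2, p_3$ in advance, the subgroup tests decide Assumption 2 outright, so the restricted game costs at most a factor of two in the reduction.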

Lemma 2. Suppose there exists an algorithm $\mathcal{A}$ such that $\mathrm{Adv}_{\mathcal{A}}^{Game_R} - \mathrm{Adv}_{\mathcal{A}}^{Game^{sk}_{0,0}} = \epsilon$. Then we can build an algorithm $\mathcal{B}$ with advantage $\epsilon$ in breaking Assumption 1.

Proof. $\mathcal{B}$ first receives $g, X_3, L$, then simulates $Game_R$ or $Game^{sk}_{0,0}$ with $\mathcal{A}$. $\mathcal{B}$ chooses $\alpha, a_1, a_2, b \leftarrow \mathbb{Z}_N$ at random, sets the public parameters as $g = g$, $u_1 = g^{a_1}$, $u_2 = g^{a_2}$, $h = g^{b}$, $e(g, g)^{\alpha}$, and sends the public parameters to $\mathcal{A}$.

• When $\mathcal{B}$ is asked for an update key for time period $T$, for each node $\theta \in \mathrm{KUNode}(T, RL, T)$ it performs the following steps.

– Retrieve $\tilde g_\theta$ (note that $\tilde g_\theta$ is always pre-defined in the Extract algorithm).

– Choose $s_\theta, t_\theta, t_\theta', t_\theta'' \leftarrow \mathbb{Z}_N$.

– Compute $(U_1, U_2, U_3) = \big(g^{s_\theta} X_3^{t_\theta},\ u_1^{s_\theta} X_3^{t_\theta'},\ \tilde g_\theta (u_2^{T} h)^{s_\theta} X_3^{t_\theta''}\big)$.

– Return $ku_T = \{(U_1, U_2, U_3)\}_{\theta \in \mathrm{KUNode}(T, RL, T)}$.

• When $\mathcal{B}$ is asked for a private key for identity $ID$, for each node $\theta \in \mathrm{Path}(\eta)$, where $\eta$ is the leaf node assigned to $ID$, it performs the following steps.

– Recall $g_\theta$ if it was defined. Otherwise choose $g_\theta \leftarrow G_{p_1}$ at random (by raising the generator $g$ of $G_{p_1}$ to a random exponent modulo $N$) and store $(g_\theta, \tilde g_\theta = g^{\alpha} / g_\theta)$ at node $\theta$.

– Choose $r_\theta, y_\theta, y_\theta', y_\theta'' \leftarrow \mathbb{Z}_N$.

– Compute $(K_1, K_2, K_3) = \big(g^{r_\theta} X_3^{y_\theta},\ u_2^{r_\theta} X_3^{y_\theta'},\ g_\theta (u_1^{ID} h)^{r_\theta} X_3^{y_\theta''}\big)$.

– Return $sk_{ID} = \{(K_1, K_2, K_3)\}_{\theta \in \mathrm{Path}(\eta)}$.

• When $\mathcal{B}$ is asked for a decryption key for identity $ID$ and time period $T$, $\mathcal{B}$ successively runs the Extract algorithm, the KeyUpdate algorithm and the DKeyGen algorithm.

$\mathcal{A}$ sends $\mathcal{B}$ two messages $M_0$ and $M_1$, a challenge identity $ID^*$ and a challenge time period $T^*$. $\mathcal{B}$ chooses $\beta \in \{0, 1\}$ at random. The challenge ciphertext is formed as follows:

$$C_0 = M_\beta\, e(L, g)^{\alpha},\quad C_1 = L^{z_c},\quad C_2 = L,\qquad z_c = a_1 ID^* + a_2 T^* + b.$$

This implicitly sets $g^{s}$ equal to the $G_{p_1}$ part of $L$. If $L \in G_{p_1 p_2}$, then this is a semi-functional ciphertext with $z_c = a_1 ID^* + a_2 T^* + b$. We note that the value of $z_c$ modulo $p_2$ is not correlated with the values of $a_1, a_2$ and $b$ modulo $p_1$, so $z_c$ is properly distributed. If $L \in G_{p_1}$, this is a normal ciphertext. Hence $\mathcal{B}$ can use the output of $\mathcal{A}$ to distinguish between these possibilities for $L$.

This completes the proof.

□

Lemma 3. Suppose there exists an algorithm $\mathcal{A}$ such that $\mathrm{Adv}_{\mathcal{A}}^{Game^{sk}_{k,k'-1}} - \mathrm{Adv}_{\mathcal{A}}^{Game^{sk}_{k,k'}} = \epsilon$ for some $1 \le k \le q_{sk}$ and $1 \le k' \le \ell$. Then we can build an algorithm $\mathcal{B}$ with advantage $\epsilon$ in breaking Assumption 2.

Proof. $\mathcal{B}$ first receives $g, X_1X_2, X_3, Y_2Y_3, L$ and picks $\alpha, a_1, a_2, b \leftarrow \mathbb{Z}_N$ at random, then sets the public parameters as $g = g$, $u_1 = g^{a_1}$, $u_2 = g^{a_2}$, $h = g^{b}$, $e(g, g)^{\alpha}$ and sends the public parameters to $\mathcal{A}$.

• When $\mathcal{A}$ issues the $i$-th private key query, $\mathcal{B}$ generates all subkeys of the challenge identity, and every subkey whose node lies on the path from the challenge node $\eta^*$ to the root, by calling the normal private key generation algorithm. For the remaining $\ell$ subkeys (nodes $\theta \in \mathrm{Path}(\eta)$ with $\theta \notin \mathrm{Path}(\eta^*)$), $\mathcal{B}$ generates the $j$-th subkey of the $i$-th private key as follows.

1. For $i < k \lor (i = k \land j < k')$ and $\theta \in \mathrm{Path}(\eta)$:

– Recall $g_\theta$ if it was defined. Otherwise choose $g_\theta \leftarrow G_{p_1}$ at random and store $(g_\theta, \tilde g_\theta = g^{\alpha} / g_\theta)$ at node $\theta$.

– Choose $r_\theta, y_\theta, y_\theta', y_\theta'' \leftarrow \mathbb{Z}_N$ at random.

– Compute $(K_1, K_2, K_3) = \big(g^{r_\theta} (Y_2Y_3)^{y_\theta},\ u_2^{r_\theta} (Y_2Y_3)^{y_\theta'},\ g_\theta (u_1^{ID} h)^{r_\theta} (Y_2Y_3)^{y_\theta''}\big)$.

– Return $sk_{ID} = \{(K_1, K_2, K_3)\}_{\theta \in \mathrm{Path}(\eta)}$.

2. For $i = k \land j = k'$ and $\theta \in \mathrm{Path}(\eta)$:

– Recall $g_\theta$ if it was defined. Otherwise choose $g_\theta \leftarrow G_{p_1}$ at random and store $(g_\theta, \tilde g_\theta = g^{\alpha} / g_\theta)$ at node $\theta$.

– Choose $w, w' \leftarrow \mathbb{Z}_N$ at random.

– Compute $(K_1, K_2, K_3) = \big(L,\ L^{a_2} X_3^{w},\ g_\theta L^{a_1 ID + b} X_3^{w'}\big)$.

– Return $sk_{ID} = \{(K_1, K_2, K_3)\}_{\theta \in \mathrm{Path}(\eta)}$.

3. For $i > k \lor (i = k \land j > k')$, $\mathcal{B}$ generates normal subkeys by calling the normal private key generation algorithm.

• When $\mathcal{A}$ issues an update key query with time period $T$, $\mathcal{B}$ generates normal update keys by calling the normal update key generation algorithm.

• When $\mathcal{A}$ issues a decryption key query with identity $ID$ and time period $T$, $\mathcal{B}$ successively runs the Extract algorithm, the KeyUpdate algorithm and the DKeyGen algorithm.

At some point $\mathcal{A}$ sends two messages $M_0$ and $M_1$, a challenge identity $ID^*$ and a challenge time period $T^*$ to $\mathcal{B}$. $\mathcal{B}$ chooses $\beta \in \{0, 1\}$ at random. The challenge ciphertext is formed as follows:

$$C_0 = M_\beta\, e(X_1X_2, g)^{\alpha},\quad C_1 = (X_1X_2)^{z_c},\quad C_2 = X_1X_2.$$

We note that this sets $g^{s} = X_1$ and $z_c = a_1 ID^* + a_2 T^* + b$. Since $f(ID, T) = a_1 ID + a_2 T + b$ is a pairwise independent function modulo $p_2$, as long as $ID \not\equiv ID^* \pmod{p_2}$ and $T \not\equiv T^* \pmod{p_2}$, $z_k$ and $z_c$ will seem randomly distributed to $\mathcal{A}$.

If $L \in G_{p_1 p_3}$, then $\mathcal{B}$ has properly simulated $Game^{sk}_{k,k'-1}$. If $L \in G$, then $\mathcal{B}$ has properly simulated $Game^{sk}_{k,k'}$. Hence $\mathcal{B}$ can use the output of $\mathcal{A}$ to distinguish between these possibilities for $L$.

This completes the proof.

□

Lemma 4. Suppose there exists an algorithm $\mathcal{A}$ such that $\mathrm{Adv}_{\mathcal{A}}^{Game^{sk}_{k,\ell}} - \mathrm{Adv}_{\mathcal{A}}^{Game^{sk}_{k+1,0}} = \epsilon$. Then we can build an algorithm $\mathcal{B}$ with advantage $\epsilon$ in breaking Assumption 2.

Proof. This proof is analogous to the proof of Lemma 3.

□



Lemma 5. Suppose there exists an algorithm $\mathcal{A}$ such that $\mathrm{Adv}_{\mathcal{A}}^{Game^{ku}_{k-1}} - \mathrm{Adv}_{\mathcal{A}}^{Game^{ku}_{k}} = \epsilon$ for some $1 \le k \le q_{ku}$. Then we can build an algorithm $\mathcal{B}$ with advantage $\epsilon$ in breaking Assumption 2.

Proof. $\mathcal{B}$ first receives $g, X_1X_2, X_3, Y_2Y_3, L$ and picks $\alpha, a_1, a_2, b \leftarrow \mathbb{Z}_N$ at random, then sets the public parameters as $g = g$, $u_1 = g^{a_1}$, $u_2 = g^{a_2}$, $h = g^{b}$, $e(g, g)^{\alpha}$ and sends the public parameters to $\mathcal{A}$.

• When $\mathcal{A}$ issues a private key query, $\mathcal{B}$ generates all subkeys of the challenge identity, and every subkey whose node lies on the path from the challenge node $\eta^*$ to the root, by calling the normal private key generation algorithm. For each remaining node $\theta \in \mathrm{Path}(\eta)$ with $\theta \notin \mathrm{Path}(\eta^*)$, $\mathcal{B}$ performs the following steps.

– Recall $g_\theta$ if it was defined. Otherwise choose $g_\theta \leftarrow G_{p_1}$ at random and store $(g_\theta, \tilde g_\theta = g^{\alpha} / g_\theta)$ at node $\theta$.

– Choose $r_\theta, y_\theta, y_\theta', y_\theta'' \leftarrow \mathbb{Z}_N$ at random.

– Compute $(K_1, K_2, K_3) = \big(g^{r_\theta} (Y_2Y_3)^{y_\theta},\ u_2^{r_\theta} (Y_2Y_3)^{y_\theta'},\ g_\theta (u_1^{ID} h)^{r_\theta} (Y_2Y_3)^{y_\theta''}\big)$.

– Return $sk_{ID} = \{(K_1, K_2, K_3)\}_{\theta \in \mathrm{Path}(\eta)}$.

• When $\mathcal{A}$ issues the update key query for the challenge time period $T^*$, $\mathcal{B}$ generates a normal update key by calling the normal update key generation algorithm. Otherwise, for the $i$-th update key query with time period $T$, $\mathcal{B}$ performs as follows.

1. For $i < k$: when $\theta \in \mathrm{KUNode}(T, RL, T) \land \theta \notin \mathrm{Path}(\eta^*)$, $\mathcal{B}$ calls the normal update key generation algorithm. When $\theta \in \mathrm{KUNode}(T, RL, T) \land \theta \in \mathrm{Path}(\eta^*)$, $\mathcal{B}$ acts as follows (note that at most one node satisfies this condition in each update node set).

– Retrieve $\tilde g_\theta$.

– Choose $s_\theta, t_\theta, t_\theta', t_\theta'' \leftarrow \mathbb{Z}_N$.

– Compute $(U_1, U_2, U_3) = \big(g^{s_\theta} (Y_2Y_3)^{t_\theta},\ u_1^{s_\theta} (Y_2Y_3)^{t_\theta'},\ \tilde g_\theta (u_2^{T} h)^{s_\the# } (Y_2Y_3)^{t_\theta''}\big)$.

– Return $ku_T = \{(U_1, U_2, U_3)\}_{\theta \in \mathrm{KUNode}(T, RL, T)}$.

2. For $i = k$: when $\theta \in \mathrm{KUNode}(T, RL, T) \land \theta \notin \mathrm{Path}(\eta^*)$, $\mathcal{B}$ generates normal subkeys by calling the normal update key generation algorithm. When $\theta \in \mathrm{Path}(\eta^*)$, $\mathcal{B}$ performs as follows.

– Retrieve $\tilde g_\theta$.

– Choose $w_\theta, w_\theta' \leftarrow \mathbb{Z}_N$.

– Compute $(U_1, U_2, U_3) = \big(L,\ L^{a_1} X_3^{w_\theta},\ \tilde g_\theta L^{a_2 T + b} X_3^{w_\theta'}\big)$.

– Return $ku_T = \{(U_1, U_2, U_3)\}_{\theta \in \mathrm{KUNode}(T, RL, T)}$.

– Here we note that $z_u = a_2 T + b$ and $T \neq T^*$, therefore both $z_u = a_2 T + b$ and $z_c = a_1 ID^* + a_2 T^* + b$ seem random in the adversary's view. If $T = T^*$, that is, if we transformed the update key for time period $T^*$, then we could not ensure that $z_u = a_2 T^* + b$ and $z_c = a_1 ID^* + a_2 T^* + b$ seem random in the adversary's view.

3. For $i > k$: for every $\theta \in \mathrm{KUNode}(T, RL, T)$, $\mathcal{B}$ generates normal subkeys by calling the normal update key generation algorithm.

• When $\mathcal{B}$ is asked for a decryption key for identity $ID$ and time period $T$, $\mathcal{B}$ successively runs the Extract algorithm, the KeyUpdate algorithm and the DKeyGen algorithm.

At some point $\mathcal{A}$ sends two messages $M_0$ and $M_1$, a challenge identity $ID^*$ and a challenge time period $T^*$ to $\mathcal{B}$. $\mathcal{B}$ chooses $\beta \in \{0, 1\}$ at random. The challenge ciphertext is formed as follows:

$$C_0 = M_\beta\, e(X_1X_2, g)^{\alpha},\quad C_1 = (X_1X_2)^{z_c},\quad C_2 = X_1X_2,\qquad z_c = a_1 ID^* + a_2 T^* + b.$$

If $L \in G_{p_1 p_3}$, then $\mathcal{B}$ has properly simulated $Game^{ku}_{k-1}$. If $L \in G$, then $\mathcal{B}$ has properly simulated $Game^{ku}_{k}$. Hence $\mathcal{B}$ can use the output of $\mathcal{A}$ to distinguish between these possibilities for $L$.

This completes the proof.

□

Lemma 6. Suppose there exists an algorithm $\mathcal{A}$ such that $\mathrm{Adv}_{\mathcal{A}}^{Game^{ku}_{q_{ku}}} - \mathrm{Adv}_{\mathcal{A}}^{Game_{Final}} = \epsilon$. Then we can build an algorithm $\mathcal{B}$ with advantage $\epsilon$ in breaking Assumption 3.

Proof. $\mathcal{B}$ first receives $g, g^{\alpha} X_2, X_3, g^{s} Y_2, Z_2, L$, chooses $a_1, a_2, b \leftarrow \mathbb{Z}_N$ at random, then sets the public parameters as $g = g$, $u_1 = g^{a_1}$, $u_2 = g^{a_2}$, $h = g^{b}$, $e(g, g)^{\alpha} = e(g^{\alpha} X_2, g)$ and sends the public parameters to $\mathcal{A}$.

• When $\mathcal{A}$ issues a private key query, $\mathcal{B}$ generates all subkeys of the challenge identity, and every subkey whose node lies on the path from the challenge node $\eta^*$ to the root, by calling the normal private key generation algorithm. For each remaining node $\theta \in \mathrm{Path}(\eta)$, $\mathcal{B}$ performs as follows.

– Recall $g_\theta$ if it was defined. Otherwise choose $g_\theta \leftarrow G_{p_1}$ at random and store $(g_\theta, \tilde g_\theta = 1 / g_\theta)$ at node $\theta$ (the factor $g^{\alpha} X_2$ is supplied below by exactly one of the two subkeys at each node, so $K_3 U_3$ still carries $g^{\alpha}$ once).

– Choose $r_\theta, z_\theta, z_\theta', z_\theta'', y_\theta, y_\theta', y_\theta'' \leftarrow \mathbb{Z}_N$ at random.

– Compute $(K_1, K_2, K_3) = \big(g^{r_\theta} Z_2^{z_\theta} X_3^{y_\theta},\ u_2^{r_\theta} Z_2^{z_\theta'} X_3^{y_\theta'},\ g^{\alpha} X_2\, g_\theta (u_1^{ID} h)^{r_\theta} Z_2^{z_\theta''} X_3^{y_\theta''}\big)$.

– Return $sk_{ID} = \{(K_1, K_2, K_3)\}_{\theta \in \mathrm{Path}(\eta)}$.

• When $\mathcal{A}$ issues the update key query for the challenge time period $T^*$, $\mathcal{B}$ generates a normal update key by calling the normal update key generation algorithm. Otherwise, $\mathcal{B}$ performs as follows.

– If $\theta \notin \mathrm{Path}(\eta^*)$, $\mathcal{B}$ generates a normal subkey by calling the normal update key generation algorithm.

– If $\theta \in \mathrm{Path}(\eta^*)$, $\mathcal{B}$ performs the following steps. Note that there is at most one such node in each time period $T$.

* Retrieve $\tilde g_\theta$ (note that $\tilde g_\theta$ is always pre-defined in the Extract algorithm).

* Choose $s_\theta, v_\theta, v_\theta', v_\theta'', w_\theta, w_\theta', w_\theta'' \leftarrow \mathbb{Z}_N$.

* Compute $(U_1, U_2, U_3) = \big(g^{s_\theta} Z_2^{v_\theta} X_3^{w_\theta},\ u_1^{s_\theta} Z_2^{v_\theta'} X_3^{w_\theta'},\ g^{\alpha} X_2\, \tilde g_\theta (u_2^{T} h)^{s_\theta} Z_2^{v_\theta''} X_3^{w_\theta''}\big)$.

* Return $ku_T = \{(U_1, U_2, U_3)\}_{\theta \in \mathrm{KUNode}(T, RL, T)}$.

• When $\mathcal{A}$ issues a decryption key query with identity $ID$ and time period $T$, $\mathcal{B}$ successively runs the Extract algorithm, the KeyUpdate algorithm and the DKeyGen algorithm.

At some point $\mathcal{A}$ sends two messages $M_0$ and $M_1$, a challenge identity $ID^*$ and a challenge time period $T^*$ to $\mathcal{B}$. $\mathcal{B}$ chooses $\beta \in \{0, 1\}$ at random. The challenge ciphertext is formed as follows:

$$C_0 = M_\beta\, L,\quad C_1 = (g^{s} Y_2)^{z_c},\quad C_2 = g^{s} Y_2.$$

Here $z_c = a_1 ID^* + a_2 T^* + b$. We note that the value of $z_c$ only matters modulo $p_2$, whereas $u_1 = g^{a_1}$, $u_2 = g^{a_2}$ and $h = g^{b}$ are elements of $G_{p_1}$; so when $a_1, a_2$ and $b$ are chosen uniformly modulo $N$, there is no correlation between the values of $a_1, a_2$ and $b$ modulo $p_1$ and the value $z_c = a_1 ID^* + a_2 T^* + b \bmod p_2$.

If $L = e(g, g)^{\alpha s}$, then this is a properly distributed semi-functional ciphertext with message $M_\beta$. If $L$ is a random element of $G_T$, then this is a semi-functional ciphertext with a random message. Hence $\mathcal{B}$ can use the output of $\mathcal{A}$ to distinguish between these possibilities for $L$.

This completes the proof.

□

Theorem 1. If the above lemmas hold, then our RIBE scheme is adaptively secure under Assumptions 1, 2 and 3. More precisely, for any adversary $\mathcal{A}$ that makes at most $q_1$ private key queries and $q_2$ update key queries against our RIBE scheme, we have



Adv™ E < l -q x q 2 ( qi Advl G f-(K)\o % N lmlx + q^^ 

Proof. If the above assumptions hold, then we have shown by the previous lemmas that the real security game is indistinguishable from $Game_{Final}$, in which the value of $\beta$ is information-theoretically hidden from the adversary. Hence the adversary can attain no advantage in breaking our RIBE scheme.

This completes the proof.

□

Conclusion

In this paper, we presented a scalable RIBE scheme with decryption key exposure resilience in the composite order group setting by combining Lewko and Waters' IBE scheme with the complete subtree method, and proved the proposed RIBE scheme adaptive-ID secure using the recent dual system encryption methodology. Compared to the existing adaptive-ID secure LV-RIBE and SE-RIBE schemes, our RIBE construction is more efficient in terms of ciphertext size, public parameter size and decryption cost, at the price of a slightly looser security reduction. In future work, we will focus on constructing an adaptive-ID secure RIBE scheme with decryption key exposure resilience in the prime order group setting, and on devising an adaptive-ID secure RIBE scheme that resists decryption key exposure attacks with a tighter reduction.